Synopsis: (U) To provide a synopsis of investigative matter and set forth leads for each Field Office.


(U) Classified By: [illegible]

Reason:

Declassify On: [illegible]

Administrative: Reference Bureau teletype, dated 2/6/1998, to all field offices captioned "COMPUTER INTRUSIONS," 288-HQ-A1220460, and Bureau EC to all field offices, dated 2/9/1998, captioned "UNSUB(S); MULTIPLE INTRUSIONS INTO DOD NETWORKS; CITA MATTERS; OO: HQ."

Details: By way of background, on February 1, 1998, DOD began detecting computer intrusions into its unclassified computer systems at various facilities in the United States (U.S.). These intrusions are ongoing. At least 11 DOD systems are known to have been compromised and recovery procedures have been initiated. The intruder appears to have targeted domain name servers and obtained root status via exploitation of the "statd" vulnerability in the Solaris 2.4 operating system.

Hacker tools imported from a University of Maryland site were used to gain entry. The intruder installed a sniffer program and then closed the vulnerability by transferring a patch from the University of North Carolina. A "backdoor" was created to allow the intruder reentry to the system. Referral/Consult


Numerous university computer sites in the U.S. appear to have been exploited in similar fashion. Internet service providers near those universities also appear to have been exploited to access, or attempt to access, DOD computer networks. Referral/Consult



Referral/Consult 
(U) The following leads are being set forth.

LEAD(s):

Set Lead 1: 

ALL RECEIVING OFFICES 

1. Will expeditiously contact all logical sources for any information pertaining to intrusions into Air Force domain name servers using the "statd" exploit on Solaris 2.4

b6
b7C


telephone 


5 SSA 





or SSA 


Set Lead 2: 


WASHINGTON FIELD OFFICE. NVRA 


1. Will conduct appropriate investigation at the University of Maryland to determine source of hacker tools associated with Air Force DNS intrusions. Contact should be made with

b6
b7C

University of Maryland,

WFO will obtain all necessary orders from DOJ to gain access to files and log data. Referral/Consult


(U)

Thereafter, conduct appropriate follow up investigation.


(U) 3. WFO National Computer Crimes Squad will open a separate investigation into

of birth

b6
b7C

focusing on intrusions occurring at U.S. Naval bases. Will establish contacts and coordinate investigation with NCIS.

